package org.keycloak.federation.ldap.mappers;

import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.TreeSet;
import org.jboss.logging.Logger;
import org.keycloak.federation.ldap.LDAPFederationProvider;
import org.keycloak.federation.ldap.idm.model.LDAPDn;
import org.keycloak.federation.ldap.idm.model.LDAPObject;
import org.keycloak.federation.ldap.idm.query.QueryParameter;
import org.keycloak.federation.ldap.idm.query.internal.LDAPQuery;
import org.keycloak.federation.ldap.idm.query.internal.LDAPQueryConditionsBuilder;
import org.keycloak.models.ClientModel;
import org.keycloak.models.ModelException;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleContainerModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserFederationMapperModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.models.utils.UserModelDelegate;

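/**
 * Maps LDAP "role" entries (group-like objects whose membership attribute lists user DNs) onto
 * Keycloak realm roles or onto the roles of a single client.
 *
 * <p>Configuration is read from the {@link UserFederationMapperModel} config map under the
 * {@code public static final} keys declared below. The {@link Mode} decides how LDAP and the
 * Keycloak DB are reconciled:
 * <ul>
 *   <li>{@link Mode#IMPORT}: LDAP mappings are copied into the DB when a user is created on
 *       import; the user object is not proxied.</li>
 *   <li>{@link Mode#READ_ONLY}: mappings for the target container are read live from LDAP and
 *       merged with DB mappings; LDAP is never written and deleting an LDAP-backed mapping fails.</li>
 *   <li>{@link Mode#LDAP_ONLY}: mappings for the target container live only in LDAP; grants and
 *       deletions are written back to LDAP (role entries are created on demand).</li>
 * </ul>
 *
 * <p>Security notes: in {@code LDAP_ONLY} mode the bind account used by the provider needs write
 * access below {@code roles.dn}, and Keycloak role names become RDN values of new entries. All
 * filter values (role names, user DNs) are handed to {@link LDAPQueryConditionsBuilder} as
 * structured parameters rather than concatenated into filter strings; escaping of those values is
 * assumed to be the builder's job — confirm before relying on it.
 */
public class RoleLDAPFederationMapper extends AbstractLDAPFederationMapper {
    private static final Logger logger = Logger.getLogger(RoleLDAPFederationMapper.class);

    /** Config key: base DN under which role entries are searched and created. */
    public static final String ROLES_DN = "roles.dn";
    /** Config key: LDAP attribute holding the role name; defaults to {@code cn}. */
    public static final String ROLE_NAME_LDAP_ATTRIBUTE = "role.name.ldap.attribute";
    /** Config key: multi-valued LDAP attribute holding member DNs; defaults to {@code member}. */
    public static final String MEMBERSHIP_LDAP_ATTRIBUTE = "membership.ldap.attribute";
    /** Config key: comma-separated object classes of role entries; default depends on AD vs. other. */
    public static final String ROLE_OBJECT_CLASSES = "role.object.classes";
    /** Config key: boolean; {@code true} targets realm roles, otherwise the client named by {@link #CLIENT_ID}. */
    public static final String USE_REALM_ROLES_MAPPING = "use.realm.roles.mapping";
    /** Config key: clientId whose roles are the mapping target when realm mapping is off. */
    public static final String CLIENT_ID = "client.id";
    /** Config key: one of {@link Mode}, matched case-insensitively. */
    public static final String MODE = "mode";

    // Value written into the membership attribute when a non-AD role entry would otherwise have no
    // members (groupOfNames requires at least one "member" value).
    private static final String EMPTY_MEMBERSHIP_PLACEHOLDER = "cn=empty-membership-placeholder";

    // Ids of mapper models whose LDAP roles were already synced into the DB by this instance.
    // NOTE(review): unsynchronized; assumes one mapper instance is not used by several threads — confirm.
    private final Set<String> rolesSyncedModels = new TreeSet<String>();

    /**
     * {@link UserModel} view of an LDAP-backed user that answers role-mapping calls for the target
     * role container from LDAP instead of, or in addition to, the Keycloak DB.
     *
     * <p>Used only for {@link Mode#LDAP_ONLY} and {@link Mode#READ_ONLY} (see {@link #proxy}). The
     * LDAP role mappings are loaded once per delegate and cached; every write path invalidates the
     * cache. This is a non-static inner class because it calls back into the enclosing mapper for
     * configuration and LDAP access.
     */
    public class LDAPRoleMappingsUserDelegate extends UserModelDelegate {
        private final UserFederationMapperModel mapperModel;
        private final LDAPFederationProvider ldapProvider;
        private final LDAPObject ldapUser;
        private final RealmModel realm;
        private final Mode mode;
        // Filled lazily by getLDAPRoleMappingsConverted(); null means "not loaded" or "invalidated".
        private Set<RoleModel> cachedLDAPRoleMappings;

        /**
         * @param delegate     the DB-backed user this view wraps
         * @param mapperModel  mapper configuration
         * @param ldapProvider provider giving access to the LDAP identity store
         * @param ldapUser     LDAP entry of the user; its DN is the membership value looked up
         * @param realm        realm the user belongs to
         * @param mode         reconciliation mode; must not be {@link Mode#IMPORT}
         */
        public LDAPRoleMappingsUserDelegate(UserModel delegate, UserFederationMapperModel mapperModel,
                                            LDAPFederationProvider ldapProvider, LDAPObject ldapUser,
                                            RealmModel realm, Mode mode) {
            super(delegate);
            this.mapperModel = mapperModel;
            this.ldapProvider = ldapProvider;
            this.ldapUser = ldapUser;
            this.realm = realm;
            this.mode = mode;
        }

        /**
         * Realm role mappings. When the mapper targets the realm, the LDAP mappings are returned,
         * merged with the DB mappings unless the mode is {@link Mode#LDAP_ONLY}.
         */
        public Set<RoleModel> getRealmRoleMappings() {
            RoleContainerModel target = RoleLDAPFederationMapper.this.getTargetRoleContainer(mapperModel, realm);
            if (!target.equals(realm)) {
                return super.getRealmRoleMappings();
            }
            Set<RoleModel> ldapMappings = getLDAPRoleMappingsConverted(mapperModel, ldapProvider, ldapUser, target);
            if (mode != Mode.LDAP_ONLY) {
                ldapMappings.addAll(super.getRealmRoleMappings());
            }
            return ldapMappings;
        }

        /**
         * Client role mappings. When {@code client} is the mapper's target, the LDAP mappings are
         * returned, merged with the DB mappings unless the mode is {@link Mode#LDAP_ONLY}.
         */
        public Set<RoleModel> getClientRoleMappings(ClientModel client) {
            RoleContainerModel target = RoleLDAPFederationMapper.this.getTargetRoleContainer(mapperModel, realm);
            if (!target.equals(client)) {
                return super.getClientRoleMappings(client);
            }
            Set<RoleModel> ldapMappings = getLDAPRoleMappingsConverted(mapperModel, ldapProvider, ldapUser, target);
            if (mode != Mode.LDAP_ONLY) {
                ldapMappings.addAll(super.getClientRoleMappings(client));
            }
            return ldapMappings;
        }

        /** Checks {@code role} against the merged mappings returned by {@link #getRoleMappings()}. */
        public boolean hasRole(RoleModel role) {
            return KeycloakModelUtils.hasRole(getRoleMappings(), role);
        }

        /**
         * Grants {@code role}. Only in {@link Mode#LDAP_ONLY}, and only for roles of the target
         * container, the membership is written to LDAP (creating the role entry if needed);
         * everything else goes to the DB.
         */
        public void grantRole(RoleModel role) {
            if (mode != Mode.LDAP_ONLY) {
                super.grantRole(role);
                return;
            }
            RoleContainerModel target = RoleLDAPFederationMapper.this.getTargetRoleContainer(mapperModel, realm);
            if (!role.getContainer().equals(target)) {
                super.grantRole(role);
                return;
            }
            cachedLDAPRoleMappings = null;
            RoleLDAPFederationMapper.this.addRoleMappingInLDAP(mapperModel, role.getName(), ldapProvider, ldapUser);
        }

        /**
         * All role mappings: DB mappings plus LDAP mappings for the target container. In
         * {@link Mode#LDAP_ONLY} the DB mappings of the target container are dropped first, since
         * LDAP is authoritative there.
         */
        public Set<RoleModel> getRoleMappings() {
            Set<RoleModel> mappings = super.getRoleMappings();
            RoleContainerModel target = RoleLDAPFederationMapper.this.getTargetRoleContainer(mapperModel, realm);
            Set<RoleModel> ldapMappings = getLDAPRoleMappingsConverted(mapperModel, ldapProvider, ldapUser, target);
            if (mode == Mode.LDAP_ONLY) {
                // Iterate over a copy: the returned set may not support Iterator.remove().
                for (RoleModel role : new HashSet<RoleModel>(mappings)) {
                    if (role.getContainer().equals(target)) {
                        mappings.remove(role);
                    }
                }
            }
            mappings.addAll(ldapMappings);
            return mappings;
        }

        /**
         * Resolves the user's LDAP role entries to {@link RoleModel}s of {@code roleContainer},
         * creating missing roles in the DB. The result is cached; callers get a fresh copy.
         *
         * @return a mutable set the caller may modify
         */
        protected Set<RoleModel> getLDAPRoleMappingsConverted(UserFederationMapperModel mapperModel,
                                                              LDAPFederationProvider ldapProvider,
                                                              LDAPObject ldapUser,
                                                              RoleContainerModel roleContainer) {
            if (cachedLDAPRoleMappings != null) {
                return new HashSet<RoleModel>(cachedLDAPRoleMappings);
            }
            List<LDAPObject> ldapRoles = RoleLDAPFederationMapper.this.getLDAPRoleMappings(mapperModel, ldapProvider, ldapUser);
            String roleNameAttribute = RoleLDAPFederationMapper.this.getRoleNameLdapAttribute(mapperModel);
            Set<RoleModel> roles = new HashSet<RoleModel>();
            for (LDAPObject ldapRole : ldapRoles) {
                String roleName = roleNameOf(ldapRole, roleNameAttribute);
                if (roleName == null) {
                    continue;
                }
                RoleModel role = roleContainer.getRole(roleName);
                if (role == null) {
                    role = roleContainer.addRole(roleName);
                }
                roles.add(role);
            }
            cachedLDAPRoleMappings = new HashSet<RoleModel>(roles);
            return roles;
        }

        /**
         * Removes a role mapping. For roles of the target container the LDAP membership is looked
         * up first: if present it is removed from LDAP (or rejected in {@link Mode#READ_ONLY});
         * if absent, only {@link Mode#READ_ONLY} falls back to deleting the DB mapping.
         *
         * @throws ModelException in {@link Mode#READ_ONLY} when the mapping exists in LDAP
         */
        public void deleteRoleMapping(RoleModel role) {
            RoleContainerModel target = RoleLDAPFederationMapper.this.getTargetRoleContainer(mapperModel, realm);
            if (!role.getContainer().equals(target)) {
                super.deleteRoleMapping(role);
                return;
            }
            LDAPQuery query = RoleLDAPFederationMapper.this.createRoleQuery(mapperModel, ldapProvider);
            LDAPQueryConditionsBuilder conditions = new LDAPQueryConditionsBuilder();
            String roleNameAttribute = RoleLDAPFederationMapper.this.getRoleNameLdapAttribute(mapperModel);
            String membershipAttribute = RoleLDAPFederationMapper.this.getMembershipLdapAttribute(mapperModel);
            query.where(conditions.equal(new QueryParameter(roleNameAttribute), role.getName()))
                 .where(conditions.equal(new QueryParameter(membershipAttribute), ldapUser.getDn().toString()));
            LDAPObject ldapRole = query.getFirstResult();
            if (ldapRole == null) {
                if (mode == Mode.READ_ONLY) {
                    super.deleteRoleMapping(role);
                }
                return;
            }
            if (mode == Mode.READ_ONLY) {
                throw new ModelException("Not possible to delete LDAP role mappings as mapper mode is READ_ONLY");
            }
            cachedLDAPRoleMappings = null;
            RoleLDAPFederationMapper.this.deleteRoleMappingInLDAP(mapperModel, ldapProvider, ldapUser, ldapRole);
        }
    }

    /** How role mappings are reconciled between LDAP and the Keycloak DB. */
    public enum Mode {
        /** Mappings of the target container live only in LDAP; grants and deletions are written to LDAP. */
        LDAP_ONLY,
        /** Mappings are copied into the DB on user creation; users are not proxied. */
        IMPORT,
        /** Mappings are read live from LDAP and merged with DB mappings; LDAP is never written. */
        READ_ONLY
    }

    /**
     * Syncs LDAP roles into the DB and, in {@link Mode#IMPORT} for a newly created user, grants
     * the user's LDAP role mappings in the DB.
     *
     * @param isCreate whether the user was just created; honored only in {@link Mode#IMPORT}
     */
    @Override // org.keycloak.federation.ldap.mappers.LDAPFederationMapper
    public void onImportUserFromLDAP(UserFederationMapperModel mapperModel, LDAPFederationProvider ldapProvider,
                                     LDAPObject ldapUser, UserModel user, RealmModel realm, boolean isCreate) {
        syncRolesFromLDAP(mapperModel, ldapProvider, realm);
        if (getMode(mapperModel) != Mode.IMPORT || !isCreate) {
            return;
        }
        RoleContainerModel target = getTargetRoleContainer(mapperModel, realm);
        String roleNameAttribute = getRoleNameLdapAttribute(mapperModel);
        for (LDAPObject ldapRole : getLDAPRoleMappings(mapperModel, ldapProvider, ldapUser)) {
            String roleName = roleNameOf(ldapRole, roleNameAttribute);
            if (roleName == null) {
                continue;
            }
            RoleModel role = target.getRole(roleName);
            if (role == null) {
                // syncRolesFromLDAP() runs once per mapper id for this instance, so a role added to
                // LDAP afterwards may be missing from the DB; create it rather than grant null.
                role = target.addRole(roleName);
            }
            logger.debugf("Granting role [%s] to user [%s] during import from LDAP", roleName, user.getUsername());
            user.grantRole(role);
        }
    }

    /** Ensures the DB knows every LDAP role before a user is registered to LDAP. */
    @Override // org.keycloak.federation.ldap.mappers.LDAPFederationMapper
    public void onRegisterUserToLDAP(UserFederationMapperModel mapperModel, LDAPFederationProvider ldapProvider,
                                     LDAPObject ldapUser, UserModel user, RealmModel realm) {
        syncRolesFromLDAP(mapperModel, ldapProvider, realm);
    }

    /**
     * Creates, in the target role container, every role found below {@code roles.dn} that does
     * not yet exist. Runs at most once per mapper id for the lifetime of this mapper instance.
     */
    public void syncRolesFromLDAP(UserFederationMapperModel mapperModel, LDAPFederationProvider ldapProvider, RealmModel realm) {
        if (rolesSyncedModels.contains(mapperModel.getId())) {
            return;
        }
        logger.debugf("Syncing roles from LDAP into Keycloak DB. Mapper is [%s], LDAP provider is [%s]",
                mapperModel.getName(), ldapProvider.getModel().getDisplayName());
        List<LDAPObject> ldapRoles = createRoleQuery(mapperModel, ldapProvider).getResultList();
        RoleContainerModel target = getTargetRoleContainer(mapperModel, realm);
        String roleNameAttribute = getRoleNameLdapAttribute(mapperModel);
        for (LDAPObject ldapRole : ldapRoles) {
            String roleName = roleNameOf(ldapRole, roleNameAttribute);
            if (roleName == null) {
                continue;
            }
            if (target.getRole(roleName) == null) {
                logger.infof("Syncing role [%s] from LDAP to keycloak DB", roleName);
                target.addRole(roleName);
            }
        }
        rolesSyncedModels.add(mapperModel.getId());
    }

    /**
     * Builds a query for role entries below {@code roles.dn} with the configured object classes,
     * returning the role-name and membership attributes. Callers add {@code where} conditions.
     */
    public LDAPQuery createRoleQuery(UserFederationMapperModel mapperModel, LDAPFederationProvider ldapProvider) {
        LDAPQuery query = new LDAPQuery(ldapProvider);
        query.setSearchScope(ldapProvider.getLdapIdentityStore().getConfig().getSearchScope());
        query.setSearchDn(getRolesDn(mapperModel));
        query.addObjectClasses(getRoleObjectClasses(mapperModel, ldapProvider));
        query.addReturningLdapAttribute(getRoleNameLdapAttribute(mapperModel));
        query.addReturningLdapAttribute(getMembershipLdapAttribute(mapperModel));
        return query;
    }

    /**
     * @return the realm when {@link #USE_REALM_ROLES_MAPPING} is set, otherwise the client named by
     *         {@link #CLIENT_ID}
     * @throws ModelException when client mapping is requested but {@code client.id} is missing or unknown
     */
    protected RoleContainerModel getTargetRoleContainer(UserFederationMapperModel mapperModel, RealmModel realm) {
        if (parseBooleanParameter(mapperModel, USE_REALM_ROLES_MAPPING)) {
            return realm;
        }
        String clientId = (String) mapperModel.getConfig().get(CLIENT_ID);
        if (clientId == null) {
            throw new ModelException("Using client roles mapping is requested, but parameter client.id not found!");
        }
        ClientModel client = realm.getClientByClientId(clientId);
        if (client == null) {
            throw new ModelException("Can't found requested client with clientId: " + clientId);
        }
        return client;
    }

    /** @throws ModelException when {@link #ROLES_DN} is not configured */
    protected String getRolesDn(UserFederationMapperModel mapperModel) {
        String rolesDn = (String) mapperModel.getConfig().get(ROLES_DN);
        if (rolesDn == null) {
            throw new ModelException("Roles DN is null! Check your configuration");
        }
        return rolesDn;
    }

    /** @return the configured role-name attribute, or {@code cn} */
    protected String getRoleNameLdapAttribute(UserFederationMapperModel mapperModel) {
        String attribute = (String) mapperModel.getConfig().get(ROLE_NAME_LDAP_ATTRIBUTE);
        return attribute != null ? attribute : "cn";
    }

    /** @return the configured membership attribute, or {@code member} */
    protected String getMembershipLdapAttribute(UserFederationMapperModel mapperModel) {
        String attribute = (String) mapperModel.getConfig().get(MEMBERSHIP_LDAP_ATTRIBUTE);
        return attribute != null ? attribute : "member";
    }

    /**
     * Parses {@link #ROLE_OBJECT_CLASSES} as a comma-separated list, trimming entries and dropping
     * empty ones. Defaults to {@code group} on Active Directory and {@code groupOfNames} elsewhere.
     */
    protected Collection<String> getRoleObjectClasses(UserFederationMapperModel mapperModel, LDAPFederationProvider ldapProvider) {
        String configured = (String) mapperModel.getConfig().get(ROLE_OBJECT_CLASSES);
        if (configured == null) {
            boolean activeDirectory = ldapProvider.getLdapIdentityStore().getConfig().isActiveDirectory();
            configured = activeDirectory ? "group" : "groupOfNames";
        }
        Set<String> objectClasses = new HashSet<String>();
        for (String part : configured.split(",")) {
            String name = part.trim();
            if (!name.isEmpty()) {
                objectClasses.add(name);
            }
        }
        return objectClasses;
    }

    /**
     * @throws ModelException when {@link #MODE} is missing, empty, or not a {@link Mode} name
     */
    private Mode getMode(UserFederationMapperModel mapperModel) {
        String value = (String) mapperModel.getConfig().get(MODE);
        if (value == null || value.isEmpty()) {
            throw new ModelException("Mode is missing! Check your configuration");
        }
        try {
            // Locale.ROOT: under a Turkish default locale "import" would upper-case to "İMPORT".
            return Mode.valueOf(value.trim().toUpperCase(Locale.ROOT));
        } catch (IllegalArgumentException e) {
            throw new ModelException("Unknown mode [" + value + "]; expected one of LDAP_ONLY, IMPORT, READ_ONLY", e);
        }
    }

    /**
     * Creates a new role entry below {@code roles.dn}. The role name becomes both the RDN value
     * and the role-name attribute; DN escaping of the name is left to {@link LDAPDn#addFirst}
     * (assumed, not verified here).
     *
     * @return the entry as added to the identity store
     */
    public LDAPObject createLDAPRole(UserFederationMapperModel mapperModel, String roleName, LDAPFederationProvider ldapProvider) {
        String roleNameAttribute = getRoleNameLdapAttribute(mapperModel);
        LDAPObject ldapRole = new LDAPObject();
        ldapRole.setRdnAttributeName(roleNameAttribute);
        ldapRole.setObjectClasses(getRoleObjectClasses(mapperModel, ldapProvider));
        ldapRole.setSingleAttribute(roleNameAttribute, roleName);
        LDAPDn roleDn = LDAPDn.fromString(getRolesDn(mapperModel));
        roleDn.addFirst(roleNameAttribute, roleName);
        ldapRole.setDn(roleDn);
        logger.infof("Creating role [%s] to LDAP with DN [%s]", roleName, roleDn.toString());
        ldapProvider.getLdapIdentityStore().add(ldapRole);
        return ldapRole;
    }

    /**
     * Adds {@code ldapUser}'s DN to the membership attribute of the role named {@code roleName},
     * creating the role entry when it does not exist. Blank values and the empty-membership
     * placeholder are dropped so the attribute only carries real member DNs.
     */
    public void addRoleMappingInLDAP(UserFederationMapperModel mapperModel, String roleName,
                                     LDAPFederationProvider ldapProvider, LDAPObject ldapUser) {
        LDAPObject ldapRole = loadLDAPRoleByName(mapperModel, ldapProvider, roleName);
        if (ldapRole == null) {
            ldapRole = createLDAPRole(mapperModel, roleName, ldapProvider);
        }
        Set<String> memberships = getExistingMemberships(mapperModel, ldapRole);
        // Collect first, then remove: the set's iterator may not support remove().
        Set<String> stale = new HashSet<String>();
        for (String member : memberships) {
            if (member.trim().isEmpty() || EMPTY_MEMBERSHIP_PLACEHOLDER.equals(member)) {
                stale.add(member);
            }
        }
        memberships.removeAll(stale);
        memberships.add(ldapUser.getDn().toString());
        ldapRole.setAttribute(getMembershipLdapAttribute(mapperModel), memberships);
        ldapProvider.getLdapIdentityStore().update(ldapRole);
    }

    /**
     * Removes {@code ldapUser}'s DN from the membership attribute of {@code ldapRole}. On non-AD
     * servers a placeholder value is written when no member remains, because {@code groupOfNames}
     * requires at least one {@code member}.
     */
    public void deleteRoleMappingInLDAP(UserFederationMapperModel mapperModel, LDAPFederationProvider ldapProvider,
                                        LDAPObject ldapUser, LDAPObject ldapRole) {
        Set<String> memberships = getExistingMemberships(mapperModel, ldapRole);
        memberships.remove(ldapUser.getDn().toString());
        boolean activeDirectory = ldapProvider.getLdapIdentityStore().getConfig().isActiveDirectory();
        if (memberships.isEmpty() && !activeDirectory) {
            memberships.add(EMPTY_MEMBERSHIP_PLACEHOLDER);
        }
        ldapRole.setAttribute(getMembershipLdapAttribute(mapperModel), memberships);
        ldapProvider.getLdapIdentityStore().update(ldapRole);
    }

    /** @return the role entry whose name attribute equals {@code roleName}, or {@code null} */
    public LDAPObject loadLDAPRoleByName(UserFederationMapperModel mapperModel, LDAPFederationProvider ldapProvider, String roleName) {
        LDAPQuery query = createRoleQuery(mapperModel, ldapProvider);
        QueryParameter roleNameParam = new QueryParameter(getRoleNameLdapAttribute(mapperModel));
        query.where(new LDAPQueryConditionsBuilder().equal(roleNameParam, roleName));
        return query.getFirstResult();
    }

    /**
     * @return the current membership values of {@code ldapRole}; an empty mutable set when the
     *         attribute is absent
     */
    protected Set<String> getExistingMemberships(UserFederationMapperModel mapperModel, LDAPObject ldapRole) {
        Set<String> memberships = ldapRole.getAttributeAsSet(getMembershipLdapAttribute(mapperModel));
        return memberships != null ? memberships : new HashSet<String>();
    }

    /** @return every role entry whose membership attribute contains {@code ldapUser}'s DN */
    protected List<LDAPObject> getLDAPRoleMappings(UserFederationMapperModel mapperModel, LDAPFederationProvider ldapProvider, LDAPObject ldapUser) {
        LDAPQuery query = createRoleQuery(mapperModel, ldapProvider);
        QueryParameter membershipParam = new QueryParameter(getMembershipLdapAttribute(mapperModel));
        query.where(new LDAPQueryConditionsBuilder().equal(membershipParam, ldapUser.getDn().toString()));
        return query.getResultList();
    }

    /**
     * Reads the role name from an LDAP role entry.
     *
     * @return the trimmed-nonempty name, or {@code null} (after logging) when the attribute is
     *         absent or blank so callers can skip the entry instead of creating a nameless role
     */
    private static String roleNameOf(LDAPObject ldapRole, String roleNameLdapAttribute) {
        String roleName = ldapRole.getAttributeAsString(roleNameLdapAttribute);
        if (roleName == null || roleName.trim().isEmpty()) {
            logger.warnf("Skipping LDAP role entry [%s] without attribute [%s]", ldapRole.getDn(), roleNameLdapAttribute);
            return null;
        }
        return roleName;
    }

    /**
     * Wraps the user in an {@link LDAPRoleMappingsUserDelegate} unless the mode is
     * {@link Mode#IMPORT}, in which case the DB-backed user is returned unchanged.
     */
    @Override // org.keycloak.federation.ldap.mappers.LDAPFederationMapper
    public UserModel proxy(UserFederationMapperModel mapperModel, LDAPFederationProvider ldapProvider,
                           LDAPObject ldapUser, UserModel user, RealmModel realm) {
        Mode mode = getMode(mapperModel);
        if (mode == Mode.IMPORT) {
            return user;
        }
        return new LDAPRoleMappingsUserDelegate(user, mapperModel, ldapProvider, ldapUser, realm, mode);
    }

    /** No-op: this mapper does not add attributes or conditions to user queries. */
    @Override // org.keycloak.federation.ldap.mappers.LDAPFederationMapper
    public void beforeLDAPQuery(UserFederationMapperModel mapperModel, LDAPQuery query) {
    }
}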
